Hackers of India

DOM XSS – Encounters of the 3rd Kind

Bishan Singh

2011/12/04


Presentation Material

Dom XSS - Encounters of the 3rd Kind (Bishan Singh Kochher) from ClubHack

Abstract

Videos for the talk are given below.

The frontend development paradigm has shifted to Rich Internet Applications. Existing and newer technologies are creating nearly unlimited opportunities that drive better user engagement and a rich experience. Along with these opportunities, they bring new attack vectors and exponentially raise the severity and manifestation of existing ones like DOM XSS. We are in an era where a lot of code sits in the browser, necessitating defensive coding, or at a minimum context-specific validation of untrusted input, on the frontend, work that typically existed server-side.

The existence of DOM XSS vulnerabilities in the open is alarming, if statistics and disclosures are anything to go by: 56 out of the Alexa top 100 sites vulnerable; 2370 vulnerabilities on 92 sites out of 850 Fortune 500 sites tested; and a place in the list of top 5 security issues for 2011 according to security researchers.

This is a highly demo-oriented talk covering the following major areas: the evolution of DOM XSS; root cause, taint sources and sinks; detection and analysis (covers DOMinator); mitigation techniques leveraging defensive coding and output encoding; and the issues and precautions needed with jQuery and YUI, the most popular JS libraries.